Policy Document
Security Program Overview
Version 2026.3 · Updated February 8, 2026
Control baseline
| Domain | Control implementation |
|---|---|
| Identity and access | Tenant-scoped bearer auth, role + scope checks, strict x-tenant-id binding |
| Webhook integrity | HMAC-SHA256 signatures, idempotency replay ledger, exponential retry/backoff |
| Auditability | Immutable audit events for policy updates, webhook actions, portability/deletion requests |
| Privacy by default | No PHI in telemetry or outbound notifications, redacted structured server logging |